News:Furcadia suffers security breach

Furcadia players logged-in early this morning were surprised to find a list of usernames, emails and passwords arriving through the online news channel.[1]

The person behind the attack - who identified himself as "Uildiar"[2] - claimed to have root access to the server on which Furcadia runs, and access to the game source code, though a subsequent post by Felorin suggested otherwise.[3] He also claimed being behind past attacks on Fur Affinity.

The attacker's statements indicate that passwords were stored as the output of a SHA hash function with no salt. While this format does not grant immediate access, it is vulnerable to a precomputation attack. Reportedly many accounts using short or dictionary words as passwords - including some forum moderator and Dragon's Eye Productions staff accounts - were compromised, although some had already been changed.[4]

We apologize for the hacking attempt earlier today. It appears that the hacker was only able to get simple passwords, most of them being one or two english words, or a word and a one digit number. If you have a simple password we suggest changing it to be safe, at this link.

Any characters or Digo items that might have changed hands will be returned to their rightful owners, and the hacker will be banned from Furcadia for life. No other part of our servers, such as Digo Market info was compromised. More info will be posted to the Furcadia Forums shortly. We apologize for the disturbance, everything is under control now.

We've been able to analyze the attack and are pretty confident we understand how they were able to get the passwords. Both Farrier and Fox have been working this afternoon on three separate improvements to our security that should prevent the same method from being used to get anybody's password, ever again. — Felorin[3]

I, for one, was terrified. One of the passwords posted WAS correct for my alt, and I had to change the email and password several times. — Eisu[5]

Many of the people who appeared on the hacker's list had very simple passwords. I suspect that if their passwords were more complex, they would not have appeared on the list. — Thatcher[6]

He/she chose to contact a volunteer instead of an official staff member and released the information based solely on that fact. There's no justification. If he/she had made an attempt to contact Gar, Emmie, Cir, or Fel with the information first and sat on awaiting a reply BEFORE posting it, it could be considered justified. (And I use that word loosely.) Obviously, he didn't. — Cheez[7]